MAL-2024-11565
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/crypto-regex-checker/MAL-2024-11565.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2024-11565
- Published
- 2024-10-07T22:16:18Z
- Modified
- 2026-03-19T12:52:08.660569Z
- Summary
- Malicious code in crypto-regex-checker (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: kam193 (a849790638e062a67e51026ebcd7d23b06a5cb901a1b74ce74bcf09762511538)
Inside the library there is a part running code hidden in the attached image, which then exfiltrate user-provided data, downloads and install next stage code, exfiltrate TXT files and finally installs infostealers - Lumma and a custom one. Arround L110
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2024-10-fake-usreagent
Reasons (based on the campaign):
infostealer
files-exfiltration
clipboard-stealing
obfuscation
clones-real-package
action-hidden-in-lib-usage
- Database specific
{ "iocs": { "domains": [ "ethscanold.com", "crypto-api.net" ], "urls": [ "https://ethscanold.com/ex_ewq1/2e.exe", "https://ethscanold.com/ex_ewq1/cdr2.exe", "https://ethscanold.com/r.php" ] }, "malicious-packages-origins": [ { "source": "reversing-labs", "id": "RLMA-2024-11012", "modified_time": "2024-12-09T06:50:03Z", "sha256": "84667c3f4be75cd2806fbf4e66a14a306eb6cefa9d0c3d779ba6253de1c8c962", "versions": [ "1.6.7", "1.6.8", "1.6.9", "1.7.1", "1.7.2", "1.7.3", "1.7.4", "1.7.5" ], "import_time": "2024-12-09T14:38:42.631209647Z" }, { "source": "kam193", "id": "pypi/2024-10-fake-usreagent/crypto-regex-checker", "modified_time": "2024-10-07T22:16:18Z", "sha256": "127ee4017c49094a53dbfde80a942032bdde632010f2124401910c0cff1d18e1", "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "import_time": "2025-12-02T22:30:55.080031089Z" }, { "source": "kam193", "id": "pypi/2024-10-fake-usreagent/crypto-regex-checker", "modified_time": "2024-10-07T22:16:18Z", "sha256": "a849790638e062a67e51026ebcd7d23b06a5cb901a1b74ce74bcf09762511538", "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "import_time": "2025-12-02T23:07:18.090204634Z" }, { "source": "kam193", "id": "pypi/2024-10-fake-usreagent/crypto-regex-checker", "modified_time": "2024-10-07T22:16:18Z", "sha256": "5c45daa914d609add30751587cc1a29bc16ab03d1b219dd66963d586bf1f6743", "versions": [ "1.6.7", "1.6.8", "1.6.9", "1.7.1", "1.7.2", "1.7.3", "1.7.4", "1.7.5" ], "import_time": "2025-12-10T21:38:57.382850753Z" }, { "source": "reversing-labs", "id": "RLUA-2026-00234", "modified_time": "2026-03-18T12:12:56Z", "sha256": "8b49764328c2b17f9c923880d94d095c52874734831fc0066d12a14bc442dc46", "import_time": "2026-03-19T12:19:36.989911471Z" } ] }- References
- Credits
-
-
- Kamil Mańkowski (kam193)
-
- Kamil Mańkowski (kam193) - REPORTER
-
- ReversingLabs - FINDER
-
Affected packages
PyPI / crypto-regex-checker
Package
- Name
- crypto-regex-checker
- View open source insights on deps.dev
- Purl
- pkg:pypi/crypto-regex-checker